/*     */ package com.zimbra.qa.unittest.prov.ldap;
/*     */ 
/*     */ import com.zimbra.common.service.ServiceException;
/*     */ import com.zimbra.cs.account.AccessManager;
/*     */ import com.zimbra.cs.account.AccessManager.ViaGrant;
/*     */ import com.zimbra.cs.account.Account;
/*     */ import com.zimbra.cs.account.DistributionList;
/*     */ import com.zimbra.cs.account.Domain;
/*     */ import com.zimbra.cs.account.Entry;
/*     */ import com.zimbra.cs.account.GlobalGrant;
/*     */ import com.zimbra.cs.account.Group;
/*     */ import com.zimbra.cs.account.GuestAccount;
/*     */ import com.zimbra.cs.account.NamedEntry;
/*     */ import com.zimbra.cs.account.accesscontrol.GranteeType;
/*     */ import com.zimbra.cs.account.accesscontrol.Right;
/*     */ import com.zimbra.cs.account.accesscontrol.RightCommand;
/*     */ import com.zimbra.cs.account.accesscontrol.TargetType;
/*     */ import com.zimbra.cs.account.ldap.LdapProv;
/*     */ import com.zimbra.cs.service.AuthProvider;
/*     */ import com.zimbra.soap.admin.type.GranteeSelector.GranteeBy;
/*     */ import com.zimbra.soap.type.TargetBy;
/*     */ import org.junit.AfterClass;
/*     */ import org.junit.Assert;
/*     */ import org.junit.BeforeClass;
/*     */ import org.junit.Test;
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ public class TestACLNegativeGrant
/*     */   extends LdapTest
/*     */ {
/*     */   private static LdapProvTestUtil provUtil;
/*     */   private static LdapProv prov;
/*     */   private static Domain baseDomain;
/*     */   private static String BASE_DOMAIN_NAME;
/*     */   private static Account globalAdmin;
/*     */   
/*     */   @BeforeClass
/*     */   public static void init()
/*     */     throws Exception
/*     */   {
/*  59 */     provUtil = new LdapProvTestUtil();
/*  60 */     prov = provUtil.getProv();
/*  61 */     baseDomain = provUtil.createDomain(baseDomainName());
/*  62 */     BASE_DOMAIN_NAME = baseDomain.getName();
/*  63 */     globalAdmin = provUtil.createGlobalAdmin("globaladmin", baseDomain);
/*     */     
/*  65 */     ACLTestUtil.initTestRights();
/*     */   }
/*     */   
/*     */   @AfterClass
/*     */   public static void cleanup() throws Exception {
/*  70 */     Cleanup.deleteAll(new String[] { baseDomainName() });
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   private void grantRight(Account authedAcct, TargetType targetType, NamedEntry target, GranteeType granteeType, NamedEntry grantee, Right right, ACLTestUtil.AllowOrDeny grant)
/*     */     throws ServiceException
/*     */   {
/*  78 */     RightCommand.grantRight(prov, authedAcct, targetType.getCode(), TargetBy.name, target == null ? null : target.getName(), granteeType.getCode(), GranteeSelector.GranteeBy.name, grantee.getName(), null, right.getName(), grant.toRightModifier());
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   protected void revokeRight(Account authedAcct, TargetType targetType, NamedEntry target, GranteeType granteeType, NamedEntry grantee, Right right, ACLTestUtil.AllowOrDeny grant)
/*     */     throws ServiceException
/*     */   {
/*  89 */     RightCommand.revokeRight(prov, authedAcct, targetType.getCode(), TargetBy.name, target == null ? null : target.getName(), granteeType.getCode(), GranteeSelector.GranteeBy.name, grantee.getName(), right.getName(), grant.toRightModifier());
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */   protected void verify(Account grantee, Entry target, Right right, ACLTestUtil.AsAdmin asAdmin, ACLTestUtil.AllowOrDeny expected, ACLTestUtil.TestViaGrant expectedVia)
/*     */     throws Exception
/*     */   {
/*  98 */     AccessManager accessMgr = AccessManager.getInstance();
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 103 */     AccessManager.ViaGrant via = expectedVia == null ? null : new AccessManager.ViaGrant();
/* 104 */     boolean result = accessMgr.canDo(grantee == null ? null : grantee, target, right, asAdmin.yes(), via);
/* 105 */     Assert.assertEquals(Boolean.valueOf(expected.allow()), Boolean.valueOf(result));
/* 106 */     ACLTestUtil.TestViaGrant.verifyEquals(expectedVia, via);
/*     */     
/*     */ 
/* 109 */     via = expectedVia == null ? null : new AccessManager.ViaGrant();
/* 110 */     result = accessMgr.canDo(grantee == null ? null : AuthProvider.getAuthToken(grantee), target, right, asAdmin.yes(), via);
/*     */     
/* 112 */     Assert.assertEquals(Boolean.valueOf(expected.allow()), Boolean.valueOf(result));
/* 113 */     ACLTestUtil.TestViaGrant.verifyEquals(expectedVia, via);
/*     */     
/*     */ 
/* 116 */     via = expectedVia == null ? null : new AccessManager.ViaGrant();
/* 117 */     result = accessMgr.canDo(grantee == null ? null : grantee.getName(), target, right, asAdmin.yes(), via);
/*     */     
/* 119 */     if (((grantee instanceof GuestAccount)) && (((GuestAccount)grantee).getAccessKey() != null))
/*     */     {
/*     */ 
/*     */ 
/*     */ 
/* 124 */       return;
/*     */     }
/* 126 */     Assert.assertEquals(Boolean.valueOf(expected.allow()), Boolean.valueOf(result));
/* 127 */     ACLTestUtil.TestViaGrant.verifyEquals(expectedVia, via);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   @Test
/*     */   public void groupGranteeTest1()
/*     */     throws Exception
/*     */   {
/* 141 */     Account authedAcct = globalAdmin;
/*     */     
/* 143 */     Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 148 */     Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("acct"), baseDomain);
/* 149 */     Group group1 = provUtil.createAdminGroup(genAcctNameLocalPart("group1"), baseDomain);
/* 150 */     Group group2 = provUtil.createAdminGroup(genAcctNameLocalPart("group2"), baseDomain);
/* 151 */     prov.addGroupMembers(group1, new String[] { account.getName() });
/* 152 */     prov.addGroupMembers(group2, new String[] { account.getName() });
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 157 */     Account target = provUtil.createAccount(genAcctNameLocalPart("target"), baseDomain);
/* 158 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, group1, right, ACLTestUtil.AllowOrDeny.ALLOW);
/* 159 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, group2, right, ACLTestUtil.AllowOrDeny.DENY);
/*     */     
/*     */ 
/*     */ 
/* 163 */     ACLTestUtil.TestViaGrant via = new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, group2.getName(), right, true);
/* 164 */     verify(account, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, via);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public void groupGranteeTest2()
/*     */     throws Exception
/*     */   {
/* 193 */     Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 198 */     Account authedAcct = globalAdmin;
/*     */     
/* 200 */     Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 205 */     Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), domain);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 210 */     Group GG1 = provUtil.createAdminGroup(genGroupNameLocalPart("GG1"), domain);
/* 211 */     Group GG2 = provUtil.createAdminGroup(genGroupNameLocalPart("GG2"), domain);
/* 212 */     Group GG3 = provUtil.createAdminGroup(genGroupNameLocalPart("GG3"), domain);
/* 213 */     Group GG4 = provUtil.createAdminGroup(genGroupNameLocalPart("GG4"), domain);
/* 214 */     Group GG5 = provUtil.createAdminGroup(genGroupNameLocalPart("GG5"), domain);
/* 215 */     Group GG6 = provUtil.createAdminGroup(genGroupNameLocalPart("GG6"), domain);
/*     */     
/* 217 */     prov.addGroupMembers(GG1, new String[] { account.getName(), GG2.getName() });
/* 218 */     prov.addGroupMembers(GG2, new String[] { account.getName(), GG3.getName() });
/* 219 */     prov.addGroupMembers(GG3, new String[] { account.getName() });
/* 220 */     prov.addGroupMembers(GG4, new String[] { account.getName(), GG5.getName() });
/* 221 */     prov.addGroupMembers(GG5, new String[] { account.getName(), GG6.getName() });
/* 222 */     prov.addGroupMembers(GG6, new String[] { account.getName() });
/*     */     
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/* 228 */     Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
/* 229 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, GG1, right, ACLTestUtil.AllowOrDeny.ALLOW);
/* 230 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, GG2, right, ACLTestUtil.AllowOrDeny.DENY);
/* 231 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, GG3, right, ACLTestUtil.AllowOrDeny.ALLOW);
/* 232 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, GG4, right, ACLTestUtil.AllowOrDeny.DENY);
/* 233 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, GG5, right, ACLTestUtil.AllowOrDeny.ALLOW);
/* 234 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, GG6, right, ACLTestUtil.AllowOrDeny.DENY);
/*     */     
/*     */ 
/*     */ 
/* 238 */     ACLTestUtil.TestViaGrant via = new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, GG2.getName(), right, true);
/* 239 */     via.addCanAlsoVia(new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, GG4.getName(), right, true));
/* 240 */     via.addCanAlsoVia(new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, GG6.getName(), right, true));
/* 241 */     verify(account, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, via);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   @Test
/*     */   public void groupGranteeTest3()
/*     */     throws Exception
/*     */   {
/* 267 */     Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 272 */     Account authedAcct = globalAdmin;
/*     */     
/* 274 */     Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 279 */     Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), domain);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 284 */     Group GA = provUtil.createAdminGroup(genGroupNameLocalPart("GA"), domain);
/* 285 */     Group GB = provUtil.createAdminGroup(genGroupNameLocalPart("GB"), domain);
/* 286 */     Group GC = provUtil.createAdminGroup(genGroupNameLocalPart("GC"), domain);
/*     */     
/* 288 */     prov.addGroupMembers(GA, new String[] { GB.getName() });
/* 289 */     prov.addGroupMembers(GB, new String[] { GC.getName() });
/* 290 */     prov.addGroupMembers(GC, new String[] { account.getName() });
/*     */     
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/* 298 */     Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
/*     */     
/* 300 */     Group G1 = provUtil.createDistributionList(genGroupNameLocalPart("G1"), domain);
/* 301 */     Group G2 = provUtil.createDistributionList(genGroupNameLocalPart("G2"), domain);
/* 302 */     Group G3 = provUtil.createDistributionList(genGroupNameLocalPart("G3"), domain);
/*     */     
/* 304 */     prov.addGroupMembers(G1, new String[] { G2.getName() });
/* 305 */     prov.addGroupMembers(G2, new String[] { G3.getName() });
/* 306 */     prov.addGroupMembers(G3, new String[] { target.getName() });
/*     */     
/* 308 */     grantRight(authedAcct, TargetType.dl, G1, GranteeType.GT_GROUP, GC, right, ACLTestUtil.AllowOrDeny.ALLOW);
/* 309 */     grantRight(authedAcct, TargetType.dl, G2, GranteeType.GT_GROUP, GB, right, ACLTestUtil.AllowOrDeny.DENY);
/* 310 */     grantRight(authedAcct, TargetType.dl, G3, GranteeType.GT_GROUP, GA, right, ACLTestUtil.AllowOrDeny.DENY);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/* 319 */     ACLTestUtil.TestViaGrant via = new ACLTestUtil.TestViaGrant(TargetType.dl, G2, GranteeType.GT_GROUP, GB.getName(), right, true);
/* 320 */     via.addCanAlsoVia(new ACLTestUtil.TestViaGrant(TargetType.dl, G3, GranteeType.GT_GROUP, GA.getName(), right, true));
/* 321 */     verify(account, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, via);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   @Test
/*     */   public void targetPrecedence()
/*     */     throws Exception
/*     */   {
/* 342 */     Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 347 */     Account authedAcct = globalAdmin;
/*     */     
/* 349 */     Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 354 */     Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("grantee"), domain);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/* 360 */     Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
/* 361 */     grantRight(authedAcct, TargetType.account, target, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.ALLOW);
/*     */     
/*     */ 
/* 364 */     DistributionList group1 = provUtil.createDistributionList(genGroupNameLocalPart("group1"), domain);
/* 365 */     DistributionList group2 = provUtil.createDistributionList(genGroupNameLocalPart("group2"), domain);
/* 366 */     prov.addMembers(group1, new String[] { group2.getName() });
/* 367 */     prov.addMembers(group2, new String[] { target.getName() });
/*     */     
/* 369 */     grantRight(authedAcct, TargetType.dl, group2, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.DENY);
/* 370 */     grantRight(authedAcct, TargetType.dl, group1, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.ALLOW);
/*     */     
/*     */ 
/* 373 */     grantRight(authedAcct, TargetType.domain, domain, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.DENY);
/*     */     
/*     */ 
/* 376 */     GlobalGrant globalGrant = prov.getGlobalGrant();
/* 377 */     grantRight(authedAcct, TargetType.global, null, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.ALLOW);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/* 384 */     ACLTestUtil.TestViaGrant via = new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_USER, grantee.getName(), right, false);
/* 385 */     verify(grantee, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.ALLOW, via);
/*     */     
/*     */ 
/* 388 */     revokeRight(authedAcct, TargetType.account, target, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.ALLOW);
/* 389 */     via = new ACLTestUtil.TestViaGrant(TargetType.dl, group2, GranteeType.GT_USER, grantee.getName(), right, true);
/* 390 */     verify(grantee, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, via);
/*     */     
/*     */ 
/* 393 */     revokeRight(authedAcct, TargetType.dl, group2, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.DENY);
/* 394 */     via = new ACLTestUtil.TestViaGrant(TargetType.dl, group1, GranteeType.GT_USER, grantee.getName(), right, false);
/* 395 */     verify(grantee, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.ALLOW, via);
/*     */     
/*     */ 
/* 398 */     revokeRight(authedAcct, TargetType.dl, group1, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.ALLOW);
/* 399 */     via = new ACLTestUtil.TestViaGrant(TargetType.domain, domain, GranteeType.GT_USER, grantee.getName(), right, true);
/* 400 */     verify(grantee, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, via);
/*     */     
/*     */ 
/* 403 */     revokeRight(authedAcct, TargetType.domain, domain, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.DENY);
/* 404 */     via = new ACLTestUtil.TestViaGrant(TargetType.global, globalGrant, GranteeType.GT_USER, grantee.getName(), right, false);
/* 405 */     verify(grantee, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.ALLOW, via);
/*     */     
/*     */ 
/* 408 */     revokeRight(authedAcct, TargetType.global, null, GranteeType.GT_USER, grantee, right, ACLTestUtil.AllowOrDeny.ALLOW);
/* 409 */     via = null;
/* 410 */     verify(grantee, target, right, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, via);
/*     */   }
/*     */ }


/* Location:              /home/mint/zimbrastore.jar!/com/zimbra/qa/unittest/prov/ldap/TestACLNegativeGrant.class
 * Java compiler version: 7 (51.0)
 * JD-Core Version:       0.7.1
 */